Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 20/04/2024, 18:33
Static task: static1
Behavioral task: behavioral1
- Sample: fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe
- Size: 356KB
- MD5: fd5f67b71543f0d0b620161bfcd1151c
- SHA1: c8c938f4edbf3793b6c8b680b3474879c8185ed9
- SHA256: 730b5b1ff9760f80340954c515fdc16e0d0ba664cfbc0f2157e8228c172f8000
- SHA512: 48a39c34c3247fa5a7ae9e4e2a1a5e254aca691a170b8d64dd211f67aad0e6841676120585b9839bbbbd6dc39484bf17e417e6d80e724f9129c716f6d411281c
- SSDEEP: 6144:7vbx8GUoAxgeWj2geARcUPuLrB3cp6FWw21EN:7NVAx2LULN3QEWwOk
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2648, Process gTsei4KNX0Kr.exe
- Executes dropped EXE (2 IoCs)
  pid 2960, Process gTsei4KNX0Kr.exe
  pid 2648, Process gTsei4KNX0Kr.exe
- Loads dropped DLL (5 IoCs)
  pid 2912, Process fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe
  pid 2912, Process fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe
  pid 2912, Process fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe
  pid 2960, Process gTsei4KNX0Kr.exe
  pid 2648, Process gTsei4KNX0Kr.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\mWFqTcPSebaUubiZ = "C:\\ProgramData\\E3IwONGj\\gTsei4KNX0Kr.exe"
  Process: fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe
- Suspicious use of SetThreadContext (3 IoCs)
  PID 2864 set thread context of 2912 (pid 2864, Process fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe, procid_target 28)
  PID 2960 set thread context of 2648 (pid 2960, Process gTsei4KNX0Kr.exe, procid_target 30)
  PID 2648 set thread context of 2608 (pid 2648, Process gTsei4KNX0Kr.exe, procid_target 31)
- Suspicious use of WriteProcessMemory (22 IoCs)
  PID 2864 wrote to memory of 2912 (pid 2864, Process fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe, procid_target 28), 6 entries
  PID 2912 wrote to memory of 2960 (pid 2912, Process fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe, procid_target 29), 4 entries
  PID 2960 wrote to memory of 2648 (pid 2960, Process gTsei4KNX0Kr.exe, procid_target 30), 6 entries
  PID 2648 wrote to memory of 2608 (pid 2648, Process gTsei4KNX0Kr.exe, procid_target 31), 6 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe"
  PID: 2864
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe"
    PID: 2912
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\ProgramData\E3IwONGj\gTsei4KNX0Kr.exe
      Command line: "C:\ProgramData\E3IwONGj\gTsei4KNX0Kr.exe"
      PID: 2960
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\ProgramData\E3IwONGj\gTsei4KNX0Kr.exe
        Command line: "C:\ProgramData\E3IwONGj\gTsei4KNX0Kr.exe"
        PID: 2648
        - Deletes itself
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Windows Sidebar\sidebar.exe
          Command line: "C:\Program Files (x86)\Windows Sidebar\sidebar.exe" /i:2648
          PID: 2608
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 356KB
- MD5: fd5f67b71543f0d0b620161bfcd1151c
- SHA1: c8c938f4edbf3793b6c8b680b3474879c8185ed9
- SHA256: 730b5b1ff9760f80340954c515fdc16e0d0ba664cfbc0f2157e8228c172f8000
- SHA512: 48a39c34c3247fa5a7ae9e4e2a1a5e254aca691a170b8d64dd211f67aad0e6841676120585b9839bbbbd6dc39484bf17e417e6d80e724f9129c716f6d411281c